
Commit 6b69907

deads2kironcladlou
authored andcommitted
UPSTREAM: 49133: update permissions to allow block owner deletion
:100644 100644 2db7f3d03d... a040a311f2... M plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go :100644 100644 4f97e5416b... fd67e7b7a4... M plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
1 parent db9cafc commit 6b69907


2 files changed

+14
-7
lines changed


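--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -71,7 +71,7 @@ func init() {
 addControllerRole(rbac.ClusterRole{
 ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "cronjob-controller"},
 Rules: []rbac.PolicyRule{
-rbac.NewRule("get", "list", "watch", "update").Groups(batchGroup).Resources("cronjobs").RuleOrDie(),
+rbac.NewRule("get", "list", "watch", "update", "delete").Groups(batchGroup).Resources("cronjobs").RuleOrDie(),
 rbac.NewRule("get", "list", "watch", "create", "update", "delete", "patch").Groups(batchGroup).Resources("jobs").RuleOrDie(),
 rbac.NewRule("update").Groups(batchGroup).Resources("cronjobs/status").RuleOrDie(),
 rbac.NewRule("list", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
@@ -81,7 +81,7 @@ func init() {
 addControllerRole(rbac.ClusterRole{
 ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "daemon-set-controller"},
 Rules: []rbac.PolicyRule{
-rbac.NewRule("get", "list", "watch").Groups(extensionsGroup).Resources("daemonsets").RuleOrDie(),
+rbac.NewRule("get", "list", "watch", "delete").Groups(extensionsGroup).Resources("daemonsets").RuleOrDie(),
 rbac.NewRule("update").Groups(extensionsGroup).Resources("daemonsets/status").RuleOrDie(),
 rbac.NewRule("list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 rbac.NewRule("list", "watch", "create", "delete", "patch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
@@ -93,7 +93,7 @@ func init() {
 addControllerRole(rbac.ClusterRole{
 ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "deployment-controller"},
 Rules: []rbac.PolicyRule{
-rbac.NewRule("get", "list", "watch", "update").Groups(extensionsGroup, appsGroup).Resources("deployments").RuleOrDie(),
+rbac.NewRule("get", "list", "watch", "update", "delete").Groups(extensionsGroup, appsGroup).Resources("deployments").RuleOrDie(),
 rbac.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("deployments/status").RuleOrDie(),
 rbac.NewRule("get", "list", "watch", "create", "update", "patch", "delete").Groups(extensionsGroup).Resources("replicasets").RuleOrDie(),
 // TODO: remove "update" once
@@ -151,7 +151,7 @@ func init() {
 addControllerRole(rbac.ClusterRole{
 ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "job-controller"},
 Rules: []rbac.PolicyRule{
-rbac.NewRule("get", "list", "watch", "update").Groups(batchGroup).Resources("jobs").RuleOrDie(),
+rbac.NewRule("get", "list", "watch", "update", "delete").Groups(batchGroup).Resources("jobs").RuleOrDie(),
 rbac.NewRule("update").Groups(batchGroup).Resources("jobs/status").RuleOrDie(),
 rbac.NewRule("list", "watch", "create", "delete", "patch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 eventsRule(),
@@ -208,7 +208,7 @@ func init() {
 addControllerRole(rbac.ClusterRole{
 ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "replicaset-controller"},
 Rules: []rbac.PolicyRule{
-rbac.NewRule("get", "list", "watch", "update").Groups(extensionsGroup).Resources("replicasets").RuleOrDie(),
+rbac.NewRule("get", "list", "watch", "update", "delete").Groups(extensionsGroup).Resources("replicasets").RuleOrDie(),
 rbac.NewRule("update").Groups(extensionsGroup).Resources("replicasets/status").RuleOrDie(),
 rbac.NewRule("list", "watch", "patch", "create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 eventsRule(),
@@ -218,7 +218,7 @@ func init() {
 ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "replication-controller"},
 Rules: []rbac.PolicyRule{
 // 1.0 controllers needed get, update, so without these old controllers break on new servers
-rbac.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("replicationcontrollers").RuleOrDie(),
+rbac.NewRule("get", "list", "watch", "update", "delete").Groups(legacyGroup).Resources("replicationcontrollers").RuleOrDie(),
 rbac.NewRule("update").Groups(legacyGroup).Resources("replicationcontrollers/status").RuleOrDie(),
 rbac.NewRule("list", "watch", "patch", "create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 eventsRule(),
@@ -261,7 +261,7 @@ func init() {
 ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "statefulset-controller"},
 Rules: []rbac.PolicyRule{
 rbac.NewRule("list", "watch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
-rbac.NewRule("get", "list", "watch").Groups(appsGroup).Resources("statefulsets").RuleOrDie(),
+rbac.NewRule("get", "list", "watch", "delete").Groups(appsGroup).Resources("statefulsets").RuleOrDie(),
 rbac.NewRule("update").Groups(appsGroup).Resources("statefulsets/status").RuleOrDie(),
 rbac.NewRule("get", "create", "delete", "update", "patch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 rbac.NewRule("get", "create", "delete", "update", "patch", "list", "watch").Groups(appsGroup).Resources("controllerrevisions").RuleOrDie(),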
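Review bot: The "delete" verb added to the daemonsets rule in the daemon-set-controller role (and to the statefulsets rule in the last hunk) is the first write verb those roles hold on their own top-level resource, and the rule carries no comment saying why it is granted. Going by the commit title, the verb is presumably needed only so the controller can set blockOwnerDeletion on owner references of the objects it manages, not because the controller deletes the parent object itself; a later least-privilege review of these bootstrap roles cannot tell that from the code. A one-line comment above each changed rule would record the reason, for example `// "delete" is required to set blockOwnerDeletion on owner references to this resource`. The same applies to the cronjobs, deployments, jobs, replicasets and replicationcontrollers rules in the other hunks. All seven rules sit inside init(), which starts and ends outside the hunks shown.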

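--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -102,6 +102,7 @@ items:
 resources:
 - cronjobs
 verbs:
+- delete
 - get
 - list
 - update
@@ -154,6 +155,7 @@ items:
 resources:
 - daemonsets
 verbs:
+- delete
 - get
 - list
 - watch
@@ -221,6 +223,7 @@ items:
 resources:
 - deployments
 verbs:
+- delete
 - get
 - list
 - update
@@ -492,6 +495,7 @@ items:
 resources:
 - jobs
 verbs:
+- delete
 - get
 - list
 - update
@@ -738,6 +742,7 @@ items:
 resources:
 - replicasets
 verbs:
+- delete
 - get
 - list
 - update
@@ -781,6 +786,7 @@ items:
 resources:
 - replicationcontrollers
 verbs:
+- delete
 - get
 - list
 - update
@@ -956,6 +962,7 @@ items:
 resources:
 - statefulsets
 verbs:
+- delete
 - get
 - list
 - watch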
